

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>ceph-authtool – ceph 密钥环操作工具 &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/css/custom.css" type="text/css" />

  
  
    <link rel="shortcut icon" href="../../../_static/favicon.ico"/>
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../../" src="../../../_static/documentation_options.js"></script>
        <script src="../../../_static/jquery.js"></script>
        <script src="../../../_static/underscore.js"></script>
        <script src="../../../_static/doctools.js"></script>
    
    <script type="text/javascript" src="../../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../../genindex/" />
    <link rel="search" title="Search" href="../../../search/" />
    <link rel="next" title="ceph-clsinfo – 查看类对象信息" href="../ceph-clsinfo/" />
    <link rel="prev" title="ceph – Ceph 管理工具" href="../ceph/" /> 
</head>

<body class="wy-body-for-nav">

   
  <header class="top-bar">
    

















<div role="navigation" aria-label="breadcrumbs navigation">

  <ul class="wy-breadcrumbs">
    
      <li><a href="../../../" class="icon icon-home"></a> &raquo;</li>
        
          <li><a href="../../../rados/">Ceph 存储集群</a> &raquo;</li>
        
          <li><a href="../../../rados/man/">对象存储手册页</a> &raquo;</li>
        
      <li>ceph-authtool – ceph 密钥环操作工具</li>
    
    
      <li class="wy-breadcrumbs-aside">
        
          
            <a href="../../../_sources/man/8/ceph-authtool.rst.txt" rel="nofollow"> View page source</a>
          
        
      </li>
    
  </ul>

  
  <hr/>
</div>
  </header>
  <div class="wy-grid-for-nav">
    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search"  style="background: #eee" >
          

          
            <a href="../../../">
          

          
            
            <img src="../../../_static/logo.png" class="logo" alt="Logo"/>
          
          </a>

          

          
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="../../../search/" method="get">
    <input type="text" name="q" placeholder="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>

          
        </div>

        
        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
          
            
            
              
            
            
              <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../../start/intro/">Ceph 简介</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../install/">安装 Ceph</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../cephadm/">Cephadm</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../../../rados/">Ceph 存储集群</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../../../rados/configuration/">配置</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../rados/operations/">运维</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="../../../rados/man/">    手册页</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="../ceph-volume/">ceph-volume – Ceph OSD 部署和检查工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-volume-systemd/">ceph-volume-systemd – systemd ceph-volume 辅助工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph/">ceph – Ceph 管理工具</a></li>
<li class="toctree-l3 current"><a class="current reference internal" href="#">ceph-authtool – ceph 密钥环操作工具</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#id1">提纲</a></li>
<li class="toctree-l4"><a class="reference internal" href="#id2">描述</a></li>
<li class="toctree-l4"><a class="reference internal" href="#id3">选项</a></li>
<li class="toctree-l4"><a class="reference internal" href="#id4">能力</a></li>
<li class="toctree-l4"><a class="reference internal" href="#osd">OSD 能力</a></li>
<li class="toctree-l4"><a class="reference internal" href="#id5">能力文件的格式</a></li>
<li class="toctree-l4"><a class="reference internal" href="#id6">实例</a></li>
<li class="toctree-l4"><a class="reference internal" href="#id7">使用范围</a></li>
<li class="toctree-l4"><a class="reference internal" href="#id8">参考</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-clsinfo/">ceph-clsinfo – 查看类对象信息</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-conf/">ceph-conf – ceph 配置文件工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-debugpack/">ceph-debugpack – ceph 调试信息打包工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-dencoder/">ceph-dencoder – ceph 编码器/解码器工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-mon/">ceph-mon – ceph 监视器守护进程</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-osd/">ceph-osd – ceph 对象存储守护进程</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-kvstore-tool/">ceph-kvstore-tool – ceph 的 kvstore 操作工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-run/">ceph-run – 发生核心转储后重启守护进程</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-syn/">ceph-syn – ceph 的人造负载生成器</a></li>
<li class="toctree-l3"><a class="reference internal" href="../crushdiff/">crushdiff – ceph crush 图测试工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../crushtool/">crushtool – CRUSH 图操作工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../librados-config/">librados-config – 显示关于 librados 的信息</a></li>
<li class="toctree-l3"><a class="reference internal" href="../monmaptool/">monmaptool – ceph 监视器运行图操作工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../osdmaptool/">osdmaptool – ceph osd 运行图操作工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../rados/">rados – rados 对象存储工具</a></li>
<li class="toctree-l3"><a class="reference internal" href="../ceph-post-file/">ceph-post-file – 把文件上传给 ceph 开发者</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../../rados/troubleshooting/">故障排除</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../../rados/api/">APIs</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../../cephfs/">Ceph 文件系统</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../rbd/">Ceph 块设备</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../radosgw/">Ceph 对象网关</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../mgr/">Ceph 管理器守护进程</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../mgr/dashboard/">Ceph 仪表盘</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../api/">API 文档</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../architecture/">体系结构</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../dev/developer_guide/">开发者指南</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../dev/internals/">Ceph 内幕</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../governance/">项目管理</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../foundation/">Ceph 基金会</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../ceph-volume/">ceph-volume</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../releases/general/">Ceph 版本（总目录）</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../releases/">Ceph 版本（索引）</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../security/">Security</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../glossary/">Ceph 术语</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../jaegertracing/">Tracing</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../translation_cn/">中文版翻译资源</a></li>
</ul>

            
          
        </div>
        
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" aria-label="top navigation">
        
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../../../">Ceph</a>
        
      </nav>


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>
  <div id="docubetter" align="right" style="padding: 5px; font-weight: bold;">
    <a href="https://pad.ceph.com/p/Report_Documentation_Bugs">Report a Documentation Bug</a>
  </div>

  
  <div class="section" id="ceph-authtool-ceph">
<h1>ceph-authtool – ceph 密钥环操作工具<a class="headerlink" href="#ceph-authtool-ceph" title="Permalink to this headline">¶</a></h1>
<div class="section" id="id1">
<h2>提纲<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h2>
<div class="line-block">
<div class="line"><strong>ceph-authtool</strong> <em>keyringfile</em>
[ -l | –list ]
[ -p | –print-key ]
[ -C | –create-keyring ]
[ -g | –gen-key ]
[ –gen-print-key ]
[ –import-keyring <em>otherkeyringfile</em> ]
[ -n | –name <em>entityname</em> ]
[ -a | –add-key <em>base64_key</em> ]
[ –cap <em>subsystem</em> <em>capability</em> ]
[ –caps <em>capfile</em> ]
[ –mode <em>mode</em> ]</div>
</div>
</div>
<div class="section" id="id2">
<h2>描述<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h2>
<p><strong>ceph-authtool</strong> 工具用于创建、
查看和修改 Ceph 密钥环文件。密钥环文件内存储着一或多个 Ceph 认证密钥、
可能还有被授予的能力。每个密钥都与其类型名关联，
格式为 <code class="docutils literal notranslate"><span class="pre">{client,mon,mds,osd}.name</span></code> 。</p>
<p><strong>警告：</strong> 在私钥保护得当的前提下，
Ceph 能提供认证和防中间人攻击的保护。
然而，传输中的数据是未加密的，
这些数据中可能就有配置密钥的消息。
此系统意在运行于可信环境中。</p>
</div>
<div class="section" id="id3">
<h2>选项<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h2>
<dl class="std option">
<dt id="cmdoption-ceph-authtool-l">
<span id="cmdoption-ceph-authtool-list"></span><code class="sig-name descname"><span class="pre">-l</span></code><code class="sig-prename descclassname"></code><code class="sig-prename descclassname"><span class="pre">,</span> </code><code class="sig-name descname"><span class="pre">--list</span></code><code class="sig-prename descclassname"></code><a class="headerlink" href="#cmdoption-ceph-authtool-l" title="Permalink to this definition">¶</a></dt>
<dd><p>列出密钥环内的所有密钥及其能力</p>
</dd></dl>

<dl class="std option">
<dt id="cmdoption-ceph-authtool-p">
<span id="cmdoption-ceph-authtool-print-key"></span><code class="sig-name descname"><span class="pre">-p</span></code><code class="sig-prename descclassname"></code><code class="sig-prename descclassname"><span class="pre">,</span> </code><code class="sig-name descname"><span class="pre">--print-key</span></code><code class="sig-prename descclassname"></code><a class="headerlink" href="#cmdoption-ceph-authtool-p" title="Permalink to this definition">¶</a></dt>
<dd><p>打印指定条目的已编码密钥，它适合作为 <code class="docutils literal notranslate"><span class="pre">mount</span> <span class="pre">-o</span> <span class="pre">secret=</span></code>
的参数</p>
</dd></dl>

<dl class="std option">
<dt id="cmdoption-ceph-authtool-C">
<span id="cmdoption-ceph-authtool-c"></span><span id="cmdoption-ceph-authtool-create-keyring"></span><code class="sig-name descname"><span class="pre">-C</span></code><code class="sig-prename descclassname"></code><code class="sig-prename descclassname"><span class="pre">,</span> </code><code class="sig-name descname"><span class="pre">--create-keyring</span></code><code class="sig-prename descclassname"></code><a class="headerlink" href="#cmdoption-ceph-authtool-C" title="Permalink to this definition">¶</a></dt>
<dd><p>创建新密钥环，覆盖已有密钥环文件</p>
</dd></dl>

<dl class="std option">
<dt id="cmdoption-ceph-authtool-g">
<span id="cmdoption-ceph-authtool-gen-key"></span><code class="sig-name descname"><span class="pre">-g</span></code><code class="sig-prename descclassname"></code><code class="sig-prename descclassname"><span class="pre">,</span> </code><code class="sig-name descname"><span class="pre">--gen-key</span></code><code class="sig-prename descclassname"></code><a class="headerlink" href="#cmdoption-ceph-authtool-g" title="Permalink to this definition">¶</a></dt>
<dd><p>为指定实体名生成新私钥</p>
</dd></dl>

<dl class="std option">
<dt id="cmdoption-ceph-authtool-gen-print-key">
<code class="sig-name descname"><span class="pre">--gen-print-key</span></code><code class="sig-prename descclassname"></code><a class="headerlink" href="#cmdoption-ceph-authtool-gen-print-key" title="Permalink to this definition">¶</a></dt>
<dd><p>为指定条目（ entityname ）生成新密钥，不会修改密钥环文件（
keyringfile ），只打印到标准输出。</p>
</dd></dl>

<dl class="std option">
<dt id="cmdoption-ceph-authtool-import-keyring">
<code class="sig-name descname"><span class="pre">--import-keyring</span></code><code class="sig-prename descclassname"> <span class="pre">*secondkeyringfile*</span></code><a class="headerlink" href="#cmdoption-ceph-authtool-import-keyring" title="Permalink to this definition">¶</a></dt>
<dd><p>把此选项所指定密钥环的内容导入密钥环（ keyringfile ）</p>
</dd></dl>

<dl class="std option">
<dt id="cmdoption-ceph-authtool-n">
<span id="cmdoption-ceph-authtool-name"></span><code class="sig-name descname"><span class="pre">-n</span></code><code class="sig-prename descclassname"></code><code class="sig-prename descclassname"><span class="pre">,</span> </code><code class="sig-name descname"><span class="pre">--name</span></code><code class="sig-prename descclassname"> <span class="pre">*name*</span></code><a class="headerlink" href="#cmdoption-ceph-authtool-n" title="Permalink to this definition">¶</a></dt>
<dd><p>指定要操作的条目名（ entityname ）</p>
</dd></dl>

<dl class="std option">
<dt id="cmdoption-ceph-authtool-a">
<span id="cmdoption-ceph-authtool-add-key"></span><code class="sig-name descname"><span class="pre">-a</span></code><code class="sig-prename descclassname"></code><code class="sig-prename descclassname"><span class="pre">,</span> </code><code class="sig-name descname"><span class="pre">--add-key</span></code><code class="sig-prename descclassname"> <span class="pre">*base64_key*</span></code><a class="headerlink" href="#cmdoption-ceph-authtool-a" title="Permalink to this definition">¶</a></dt>
<dd><p>把编码好的密钥加进密钥环</p>
</dd></dl>

<dl class="std option">
<dt id="cmdoption-ceph-authtool-cap">
<code class="sig-name descname"><span class="pre">--cap</span></code><code class="sig-prename descclassname"> <span class="pre">*subsystem*</span> <span class="pre">*capability*</span></code><a class="headerlink" href="#cmdoption-ceph-authtool-cap" title="Permalink to this definition">¶</a></dt>
<dd><p>设置指定子系统的能力</p>
</dd></dl>

<dl class="std option">
<dt id="cmdoption-ceph-authtool-caps">
<code class="sig-name descname"><span class="pre">--caps</span></code><code class="sig-prename descclassname"> <span class="pre">*capsfile*</span></code><a class="headerlink" href="#cmdoption-ceph-authtool-caps" title="Permalink to this definition">¶</a></dt>
<dd><p>在所有子系统内设置与给定密钥相关的所有能力</p>
</dd></dl>

<dl class="std option">
<dt id="cmdoption-ceph-authtool-mode">
<code class="sig-name descname"><span class="pre">--mode</span></code><code class="sig-prename descclassname"> <span class="pre">*mode*</span></code><a class="headerlink" href="#cmdoption-ceph-authtool-mode" title="Permalink to this definition">¶</a></dt>
<dd><p>给密钥环文件设置想要的文件模式，如 0644 ，默认是 0600 。</p>
</dd></dl>

</div>
<div class="section" id="id4">
<h2>能力<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h2>
<p>subsystem 代表 Ceph 子系统的名字： <code class="docutils literal notranslate"><span class="pre">mon</span></code> 、 <code class="docutils literal notranslate"><span class="pre">mds</span></code> 、或
<code class="docutils literal notranslate"><span class="pre">osd</span></code> 。</p>
<p>能力是一个字符串，描述了允许此用户干什么。
格式为逗号分隔的允许声明列表，
此声明包含一或多个 rwx （分别表示读、写、执行权限）。
<code class="docutils literal notranslate"><span class="pre">allow</span> <span class="pre">*</span></code> 将在指定子系统下授予完整的超级用户权限。</p>
<p>例如：</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># 可读、写、执行对象</span>
<span class="n">osd</span> <span class="o">=</span> <span class="s2">&quot;allow rwx&quot;</span>

<span class="c1"># 可访问 MDS 服务器</span>
<span class="n">mds</span> <span class="o">=</span> <span class="s2">&quot;allow&quot;</span>

<span class="c1"># 可更改集群状态（即它是服务器守护进程）</span>
<span class="n">mon</span> <span class="o">=</span> <span class="s2">&quot;allow rwx&quot;</span>
</pre></div>
</div>
<p>被限定到单个存储池的 librados 用户的能力大致如此：</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">mon</span> <span class="o">=</span> <span class="s2">&quot;allow r&quot;</span>

<span class="n">osd</span> <span class="o">=</span> <span class="s2">&quot;allow rw pool foo&quot;</span>
</pre></div>
</div>
<p>一个 RBD 客户端有一个存储池的读权限和另一个存储池的读写权限：</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">mon</span> <span class="o">=</span> <span class="s2">&quot;allow r&quot;</span>

<span class="n">osd</span> <span class="o">=</span> <span class="s2">&quot;allow class-read object_prefix rbd_children, allow pool templates r class-read, allow pool vms rwx&quot;</span>
</pre></div>
</div>
<p>权限最小化的文件系统客户端，其能力大致如此：</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">mds</span> <span class="o">=</span> <span class="s2">&quot;allow&quot;</span>

<span class="n">osd</span> <span class="o">=</span> <span class="s2">&quot;allow rw pool data&quot;</span>

<span class="n">mon</span> <span class="o">=</span> <span class="s2">&quot;allow r&quot;</span>
</pre></div>
</div>
</div>
<div class="section" id="osd">
<h2>OSD 能力<a class="headerlink" href="#osd" title="Permalink to this headline">¶</a></h2>
<p>一般来说， OSD 能力遵循以下语法：</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">osdcap</span>  <span class="o">:=</span> <span class="n">grant</span><span class="p">[,</span><span class="n">grant</span><span class="o">...</span><span class="p">]</span>
<span class="n">grant</span>   <span class="o">:=</span> <span class="n">allow</span> <span class="p">(</span><span class="n">match</span> <span class="n">capspec</span> <span class="o">|</span> <span class="n">capspec</span> <span class="n">match</span><span class="p">)</span>
<span class="n">match</span>   <span class="o">:=</span> <span class="p">[</span> <span class="n">pool</span><span class="p">[</span><span class="o">=</span><span class="p">]</span><span class="o">&lt;</span><span class="n">poolname</span><span class="o">&gt;</span> <span class="o">|</span> <span class="n">object_prefix</span> <span class="o">&lt;</span><span class="n">prefix</span><span class="o">&gt;</span>
            <span class="o">|</span> <span class="n">namespace</span><span class="p">[</span><span class="o">=</span><span class="p">]</span><span class="o">&lt;</span><span class="n">rados</span><span class="o">-</span><span class="n">namespace</span><span class="o">&gt;</span>
            <span class="o">|</span> <span class="n">tag</span> <span class="o">&lt;</span><span class="n">application</span><span class="o">-</span><span class="n">name</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="n">key</span><span class="o">&gt;=&lt;</span><span class="n">value</span><span class="o">&gt;</span> <span class="p">]</span>
<span class="n">capspec</span> <span class="o">:=</span> <span class="o">*</span> <span class="o">|</span> <span class="p">[</span><span class="n">r</span><span class="p">][</span><span class="n">w</span><span class="p">][</span><span class="n">x</span><span class="p">]</span> <span class="p">[</span><span class="n">class</span><span class="o">-</span><span class="n">read</span><span class="p">]</span> <span class="p">[</span><span class="n">class</span><span class="o">-</span><span class="n">write</span><span class="p">]</span>
</pre></div>
</div>
<p>capspec 决定了此实体可执行哪些操作：</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>r           = 可读取对象
w           = 可写入对象
x           = 可调用任何类方法（等同于 class-read 、 class-write ）
class-read  = 可调用读数据的类方法
class-write = 可调用写数据的类方法
* 或 all    = 等价于 rwx ，另外还可运行 OSD 管理命令，即 ceph osd tell ...
</pre></div>
</div>
<p>匹配规则限制了授权是基于被访问存储池的，
客户端满足匹配条件时授权会叠加。
例如，假设客户端的 OSD 能力为： “allow r object_prefix prefix, allow w pool foo, allow x pool bar” ，那么它有 foo 存储池的读写权限（ rw ）、有 bar 存储池的读和执行权限（ rx ）、还有任意存储池中以 prefix 打头的对象的读（ r ）权限。</p>
</div>
<div class="section" id="id5">
<h2>能力文件的格式<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h2>
<p>能力配置文件是格式化的零或多个键值对，每条一行。键和值以 <code class="docutils literal notranslate"><span class="pre">=</span></code>
分隔，且值内包含空格时必须用 <code class="docutils literal notranslate"><span class="pre">'</span></code> 或 <code class="docutils literal notranslate"><span class="pre">&quot;</span></code> 包起来。键是某个
Ceph 子系统（ <code class="docutils literal notranslate"><span class="pre">osd</span></code> 、 <code class="docutils literal notranslate"><span class="pre">mds</span></code> 、 <code class="docutils literal notranslate"><span class="pre">mon</span></code> ），值是能力字符串（见上文）。</p>
</div>
<div class="section" id="id6">
<h2>实例<a class="headerlink" href="#id6" title="Permalink to this headline">¶</a></h2>
<p>给 client.foo 生成密钥并新建密钥环、且文件模式为 0644 ：</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span><span class="o">-</span><span class="n">authtool</span> <span class="o">-</span><span class="n">C</span> <span class="o">-</span><span class="n">n</span> <span class="n">client</span><span class="o">.</span><span class="n">foo</span> <span class="o">--</span><span class="n">gen</span><span class="o">-</span><span class="n">key</span> <span class="n">keyring</span> <span class="o">--</span><span class="n">mode</span> <span class="mi">0644</span>
</pre></div>
</div>
<p>给此密钥关联一些能力（也就是挂载 Ceph 文件系统的能力）：</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span><span class="o">-</span><span class="n">authtool</span> <span class="o">-</span><span class="n">n</span> <span class="n">client</span><span class="o">.</span><span class="n">foo</span> <span class="o">--</span><span class="n">cap</span> <span class="n">mds</span> <span class="s1">&#39;allow&#39;</span> <span class="o">--</span><span class="n">cap</span> <span class="n">osd</span> <span class="s1">&#39;allow rw pool=data&#39;</span> <span class="o">--</span><span class="n">cap</span> <span class="n">mon</span> <span class="s1">&#39;allow r&#39;</span> <span class="n">keyring</span>
</pre></div>
</div>
<p>查看密钥环内容：</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ceph</span><span class="o">-</span><span class="n">authtool</span> <span class="o">-</span><span class="n">l</span> <span class="n">keyring</span>
</pre></div>
</div>
<p>挂载 Ceph 文件系统时，你可以用此命令获取编码好的私钥：</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>mount -t ceph serverhost:/ mountpoint -o name=foo,secret=`ceph-authtool -p -n client.foo keyring`
</pre></div>
</div>
</div>
<div class="section" id="id7">
<h2>使用范围<a class="headerlink" href="#id7" title="Permalink to this headline">¶</a></h2>
<p><strong class="program">ceph-authtool</strong> 是 Ceph 的一部分，这是个伸缩力强、开源、分布式的存储系统，更多信息参见 <a class="reference external" href="https://docs.ceph.com">https://docs.ceph.com</a> 。</p>
</div>
<div class="section" id="id8">
<h2>参考<a class="headerlink" href="#id8" title="Permalink to this headline">¶</a></h2>
<p><a class="reference internal" href="../ceph/"><span class="doc">ceph</span></a>(8)</p>
</div>
</div>



           </div>
           
          </div>
          <footer>
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
        <a href="../ceph-clsinfo/" class="btn btn-neutral float-right" title="ceph-clsinfo – 查看类对象信息" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
        <a href="../ceph/" class="btn btn-neutral float-left" title="ceph – Ceph 管理工具" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
    </div>

  <hr/>

  <div role="contentinfo">
    <p>
        &#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).

    </p>
  </div> 

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>